The Payment Card Industry Security Standards Council (‘PCI SSC’) has had a busy year thus far updating both its Card Production Security Requirements and its Data Security Standards (‘PCI DSS’).
First, on 10 April, the PCI SSC updated its Card Production Requirements (guidance published to help card producers secure the card production process from creation through to delivery). The requirements themselves are divided into two parts: Card Production Logical Security Requirements and Card Production Physical Security Requirements. The logical requirements apply to the personalisation of cards or the manipulation of card data, whereas the physical requirements deal with processes like the storage and mailing of cards. The update changes or adds requirements across a variety of issues, from card storage embossing to emergency exits; but although the PCI SSC maintain the standards, the emphasis is firmly upon payment companies themselves to manage assessments against these PCI requirements.
Second, in response to growing concerns about the vulnerabilities with the Secure Sockets Layer encryption protocol, the PCI DSS has updated its payment card data security standards to version 3.1. The National Institute of Standards and Technology felt that the previous standards placed card data at risk and failed to provide sufficient protection for data because of the old technologies it supported. The standards have already been a victim of browser attacks from both POODLE and BEAST, and the PCI SSC felt that upgrading to the more secure version of Transport Layer Security was the only way to remedy the protection problem. This updated version is effective immediately, but organisations have till 30 June 2016 to put the required standards in place.
These changes, combined with already released tokenisation product security guidelines and guidance on penetration testing, go further to emphasise the importance the PCI SSC places on protection of data within the financial industry. With the PCI Council’s capacity to issue fines or cut off an organisation’s ability to produce cards, data controllers in the financial sector should try to move to the updated standards as soon as possible.